Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <basile@××××××××××××××.edu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] ipv6 on by default for hardened profile
Date: Wed, 27 Jun 2012 15:02:27
Message-Id: 4FEAFFC8.2030208@opensource.dyc.edu
In Reply to: Re: [gentoo-hardened] ipv6 on by default for hardened profile by Alex Efros
On 06/25/2012 11:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually; sooner is probably better than later, I think.
>
> Correct me if I'm wrong, but enabling IPv6 means having to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in new security holes until the admin
> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
> And I suppose just duplicating the existing rules as-is won't be
> enough because of new IPv6-specific features, absent in IPv4,
> which should be additionally blocked/enabled too.
>
> If I'm right (about creating new security holes by enabling the ipv6
> USE flag) then it may be a bad idea to enable it by default until we're
> sure the admin is ready for it (for example, we could check whether IPv6 is
> enabled in the kernel and whether IPv6 firewall rules exist).
>
> BTW, are there (Gentoo?) guides/howtos which explain these issues
> (preferably from a "differences from IPv4" point of view) to the average admin
> who knows how to set up IPv4 and knows nothing about IPv6, and provide a
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begin with writing such docs.
>

Please opt out. USE="-ipv6" in /etc/make.conf

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
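The check Alex proposes above (is IPv6 enabled in the kernel, and do IPv6 firewall rules exist) as an added shell example; this is not code from the thread or from Gentoo. It assumes a Linux host where IPv6 state is read from /proc and the ruleset from `ip6tables -S`; the function names and the two sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit for the situation Alex describes,
# IPv6 active in the kernel while no IPv6 firewall rules exist. Function
# names are hypothetical; inputs are arguments so the logic runs on
# constructed data without root or ip6tables.

# ipv6_active <disable_ipv6 sysctl value> <count of IPv6 addresses>
ipv6_active() {
    [ "$1" = "0" ] && [ "${2:-0}" -gt 0 ]
}

# ip6_input_filtered <text of `ip6tables -S`>: true when INPUT has a
# DROP/REJECT policy or any rule. Empty text (no ip6tables) counts as
# unfiltered; nftables hosts would need `nft list ruleset` instead.
ip6_input_filtered() {
    printf '%s\n' "$1" | grep -Eq '^-P INPUT (DROP|REJECT)$' && return 0
    printf '%s\n' "$1" | grep -q '^-A INPUT ' && return 0
    return 1
}

# Prints ipv6-off, ok (IPv6 up and filtered) or exposed (up, unfiltered).
ipv6_exposure() {
    if ! ipv6_active "$1" "$2"; then
        echo ipv6-off
    elif ip6_input_filtered "$3"; then
        echo ok
    else
        echo exposed
    fi
}

# Live check of the local host (Linux procfs and ip6tables assumed).
audit_host() {
    disable=$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null || echo 1)
    naddr=$(wc -l < /proc/net/if_inet6 2>/dev/null || echo 0)
    rules=$(ip6tables -S 2>/dev/null || true)
    ipv6_exposure "$disable" "$naddr" "$rules"
}

# Constructed samples: accept-all with no rules, versus a ruleset that
# drops unsolicited inbound IPv6 traffic.
SAMPLE_UNFILTERED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_FILTERED='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run with `--live` on a host to classify it; an `exposed` result is the case the thread warns about, where the IPv4 ruleset gives no protection for IPv6 traffic.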